|
|
80384c |
Some test items assume the default SSL cipher is DHE-RSA-AES256-SHA,
|
|
|
80384c |
which is no longer the case as of openssl 1.0.1.
|
|
|
80384c |
This patch extends the connect command with an option to specify a cipher
|
|
|
80384c |
and tests are adjusted to specify the expected cipher explicitly.
|
|
|
80384c |
Upstream bug report: http://bugs.mysql.com/bug.php?id=64461
|
|
|
80384c |
|
|
|
80384c |
diff --git a/client/mysqltest.cc b/client/mysqltest.cc
|
|
|
80384c |
index 2def9bd..128dc00 100644
|
|
|
80384c |
--- a/client/mysqltest.cc
|
|
|
80384c |
+++ b/client/mysqltest.cc
|
|
|
80384c |
@@ -5503,6 +5503,7 @@ void do_connect(struct st_command *command)
|
|
|
80384c |
my_bool con_pipe= 0, con_shm= 0, con_cleartext_enable= 0;
|
|
|
80384c |
my_bool con_secure_auth= 1;
|
|
|
80384c |
struct st_connection* con_slot;
|
|
|
80384c |
+ char *con_cipher=NULL;
|
|
|
80384c |
|
|
|
80384c |
static DYNAMIC_STRING ds_connection_name;
|
|
|
80384c |
static DYNAMIC_STRING ds_host;
|
|
|
80384c |
@@ -5595,6 +5596,8 @@ void do_connect(struct st_command *command)
|
|
|
80384c |
con_cleartext_enable= 1;
|
|
|
80384c |
else if (!strncmp(con_options, "SKIPSECUREAUTH",14))
|
|
|
80384c |
con_secure_auth= 0;
|
|
|
80384c |
+ else if (!strncmp(con_options, "CIPHER:", 7))
|
|
|
80384c |
+ con_cipher = con_options + 7;
|
|
|
80384c |
else
|
|
|
80384c |
die("Illegal option to connect: %.*s",
|
|
|
80384c |
(int) (end - con_options), con_options);
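Review bot: `con_cipher = con_options + 7;` keeps a pointer into the option string that is not bounded at `end`, so the cipher value does not stop where this option stops. The `die()` call below prints the option with `%.*s` and `end - con_options`, which suggests tokens are not NUL-terminated in place; if so, `SSL CIPHER:X COMPRESS` would pass `X COMPRESS` to `mysql_ssl_set()` as the cipher list, and the tests in this patch work only because `CIPHER:` is always written last. Copy the bounded token into a local buffer, e.g. `snprintf(cipher_buf, sizeof cipher_buf, "%.*s", (int) (end - con_options - 7), con_options + 7);`, and `die()` on an empty value. The option loop and the assignment of `end` are outside the hunk, so confirm how tokens are delimited.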
|
|
|
80384c |
@@ -5642,8 +5645,11 @@ void do_connect(struct st_command *command)
|
|
|
80384c |
if (con_ssl)
|
|
|
80384c |
{
|
|
|
80384c |
#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
|
|
|
80384c |
+ /* default cipher */
|
|
|
80384c |
+ if (con_cipher == NULL && opt_ssl_cipher != NULL)
|
|
|
80384c |
+ con_cipher = opt_ssl_cipher;
|
|
|
80384c |
mysql_ssl_set(&con_slot->mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
|
|
|
80384c |
- opt_ssl_capath, opt_ssl_cipher);
|
|
|
80384c |
+ opt_ssl_capath, con_cipher);
|
|
|
80384c |
mysql_options(&con_slot->mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
|
|
|
80384c |
mysql_options(&con_slot->mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
|
|
|
80384c |
#if MYSQL_VERSION_ID >= 50000
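Review bot: A `CIPHER:` option is consumed only inside `if (con_ssl)` and under `HAVE_OPENSSL && !EMBEDDED_LIBRARY`, so a `connect` that names a cipher without `SSL` is accepted and silently ignored. A test that believes it pinned a cipher would then run over an unencrypted connection with no signal that the option had no effect. Consider failing right after option parsing, e.g. `if (con_cipher && !con_ssl) die("CIPHER option requires SSL");`. The `opt_ssl_cipher != NULL` half of the new condition is redundant, since `if (con_cipher == NULL) con_cipher= opt_ssl_cipher;` gives the same result. do_connect starts and ends outside the hunk.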
|
|
|
80384c |
diff --git a/mysql-test/r/openssl_1.result b/mysql-test/r/openssl_1.result
|
|
|
80384c |
index a767a71..3c1ee27 100644
|
|
|
80384c |
--- a/mysql-test/r/openssl_1.result
|
|
|
80384c |
+++ b/mysql-test/r/openssl_1.result
|
|
|
80384c |
@@ -197,8 +197,6 @@ Variable_name Value
|
|
|
80384c |
Ssl_cipher EDH-RSA-DES-CBC3-SHA
|
|
|
80384c |
Variable_name Value
|
|
|
80384c |
Ssl_cipher AES256-SHA
|
|
|
80384c |
-Variable_name Value
|
|
|
80384c |
-Ssl_cipher RC4-SHA
|
|
|
80384c |
select 'is still running; no cipher request crashed the server' as result from dual;
|
|
|
80384c |
result
|
|
|
80384c |
is still running; no cipher request crashed the server
|
|
|
80384c |
diff --git a/mysql-test/t/openssl_1.test b/mysql-test/t/openssl_1.test
|
|
|
80384c |
index 426de1e..f8c6203 100644
|
|
|
80384c |
--- a/mysql-test/t/openssl_1.test
|
|
|
80384c |
+++ b/mysql-test/t/openssl_1.test
|
|
|
80384c |
@@ -20,13 +20,13 @@ grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA
|
|
|
80384c |
grant select on test.* to ssl_user5@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "xxx";
|
|
|
80384c |
flush privileges;
|
|
|
80384c |
|
|
|
80384c |
-connect (con1,localhost,ssl_user1,,,,,SSL);
|
|
|
80384c |
-connect (con2,localhost,ssl_user2,,,,,SSL);
|
|
|
80384c |
-connect (con3,localhost,ssl_user3,,,,,SSL);
|
|
|
80384c |
-connect (con4,localhost,ssl_user4,,,,,SSL);
|
|
|
80384c |
+connect (con1,localhost,ssl_user1,,,,,SSL CIPHER:DHE-RSA-AES256-SHA);
|
|
|
80384c |
+connect (con2,localhost,ssl_user2,,,,,SSL CIPHER:DHE-RSA-AES256-SHA);
|
|
|
80384c |
+connect (con3,localhost,ssl_user3,,,,,SSL CIPHER:DHE-RSA-AES256-SHA);
|
|
|
80384c |
+connect (con4,localhost,ssl_user4,,,,,SSL CIPHER:DHE-RSA-AES256-SHA);
|
|
|
80384c |
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
|
|
|
80384c |
--error ER_ACCESS_DENIED_ERROR
|
|
|
80384c |
-connect (con5,localhost,ssl_user5,,,,,SSL);
|
|
|
80384c |
+connect (con5,localhost,ssl_user5,,,,,SSL CIPHER:DHE-RSA-AES256-SHA);
|
|
|
80384c |
|
|
|
80384c |
connection con1;
|
|
|
80384c |
# Check ssl turned on
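Review bot: The pinned cipher on these `connect` lines carries no comment saying why. The same bare literal is repeated in plugin_auth_sha256_tls.test, ssl.test, ssl_compress.test and in the `--ssl-cipher=` additions to ssl_8k_key.test, ssl_ca.test and ssl_crl.test. Add a line above the first connect such as `# Pin the cipher: expected results assume DHE-RSA-AES256-SHA, which OpenSSL 1.0.1+ no longer picks by default`. Only the ssl_user4 and ssl_user5 grants visible here require that cipher; whether con1 to con3 need the pin depends on grants above the hunk. With every connection pinned, the suite no longer exercises default cipher negotiation and will fail on builds where this CBC/SHA-1 suite is disabled.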
|
|
|
80384c |
@@ -125,7 +125,7 @@ drop table t1;
|
|
|
80384c |
# verification of servers certificate by setting both ca certificate
|
|
|
80384c |
# and ca path to NULL
|
|
|
80384c |
#
|
|
|
80384c |
---exec $MYSQL --ssl --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1
|
|
|
80384c |
+--exec $MYSQL --ssl --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem --ssl-cipher=DHE-RSA-AES256-SHA -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1
|
|
|
80384c |
--echo End of 5.0 tests
|
|
|
80384c |
|
|
|
80384c |
#
|
|
|
80384c |
@@ -215,7 +215,6 @@ DROP TABLE t1;
|
|
|
80384c |
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=DHE-RSA-AES256-SHA
|
|
|
80384c |
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=EDH-RSA-DES-CBC3-SHA
|
|
|
80384c |
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=AES256-SHA
|
|
|
80384c |
---exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=RC4-SHA
|
|
|
80384c |
--disable_query_log
|
|
|
80384c |
--disable_result_log
|
|
|
80384c |
|
|
|
80384c |
@@ -250,7 +249,7 @@ select 'is still running; no cipher request crashed the server' as result from d
|
|
|
80384c |
|
|
|
80384c |
GRANT SELECT ON test.* TO bug42158@localhost REQUIRE X509;
|
|
|
80384c |
FLUSH PRIVILEGES;
|
|
|
80384c |
-connect(con1,localhost,bug42158,,,,,SSL);
|
|
|
80384c |
+connect(con1,localhost,bug42158,,,,,SSL CIPHER:DHE-RSA-AES256-SHA);
|
|
|
80384c |
SHOW STATUS LIKE 'Ssl_cipher';
|
|
|
80384c |
disconnect con1;
|
|
|
80384c |
connection default;
|
|
|
80384c |
diff --git a/mysql-test/t/plugin_auth_sha256_tls.test b/mysql-test/t/plugin_auth_sha256_tls.test
|
|
|
80384c |
index f99df8a..1b38fda 100644
|
|
|
80384c |
--- a/mysql-test/t/plugin_auth_sha256_tls.test
|
|
|
80384c |
+++ b/mysql-test/t/plugin_auth_sha256_tls.test
|
|
|
80384c |
@@ -1,7 +1,7 @@
|
|
|
80384c |
--source include/not_embedded.inc
|
|
|
80384c |
--source include/have_ssl.inc
|
|
|
80384c |
|
|
|
80384c |
-connect (ssl_con,localhost,root,,,,,SSL);
|
|
|
80384c |
+connect (ssl_con,localhost,root,,,,,SSL CIPHER:DHE-RSA-AES256-SHA);
|
|
|
80384c |
SHOW STATUS LIKE 'Ssl_cipher';
|
|
|
80384c |
|
|
|
80384c |
CREATE USER 'kristofer' IDENTIFIED WITH 'sha256_password';
|
|
|
80384c |
diff --git a/mysql-test/t/ssl.test b/mysql-test/t/ssl.test
|
|
|
80384c |
index ea8be39..c61ca8b 100644
|
|
|
80384c |
--- a/mysql-test/t/ssl.test
|
|
|
80384c |
+++ b/mysql-test/t/ssl.test
|
|
|
80384c |
@@ -8,7 +8,7 @@
|
|
|
80384c |
# Save the initial number of concurrent sessions
|
|
|
80384c |
--source include/count_sessions.inc
|
|
|
80384c |
|
|
|
80384c |
-connect (ssl_con,localhost,root,,,,,SSL);
|
|
|
80384c |
+connect (ssl_con,localhost,root,,,,,SSL CIPHER:DHE-RSA-AES256-SHA);
|
|
|
80384c |
|
|
|
80384c |
# Check ssl turned on
|
|
|
80384c |
SHOW STATUS LIKE 'Ssl_cipher';
|
|
|
80384c |
diff --git a/mysql-test/t/ssl_8k_key.test b/mysql-test/t/ssl_8k_key.test
|
|
|
80384c |
index d94c2fc..c27ca58 100644
|
|
|
80384c |
--- a/mysql-test/t/ssl_8k_key.test
|
|
|
80384c |
+++ b/mysql-test/t/ssl_8k_key.test
|
|
|
80384c |
@@ -4,7 +4,7 @@
|
|
|
80384c |
#
|
|
|
80384c |
# Bug#29784 YaSSL assertion failure when reading 8k key.
|
|
|
80384c |
#
|
|
|
80384c |
---exec $MYSQL --ssl --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1
|
|
|
80384c |
+--exec $MYSQL --ssl --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem --ssl-cipher=DHE-RSA-AES256-SHA -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1
|
|
|
80384c |
|
|
|
80384c |
## This test file is for testing encrypted communication only, not other
|
|
|
80384c |
## encryption routines that the SSL library happens to provide!
|
|
|
80384c |
diff --git a/mysql-test/t/ssl_compress.test b/mysql-test/t/ssl_compress.test
|
|
|
80384c |
index 2cb4c0d..feaa0e7 100644
|
|
|
80384c |
--- a/mysql-test/t/ssl_compress.test
|
|
|
80384c |
+++ b/mysql-test/t/ssl_compress.test
|
|
|
80384c |
@@ -9,7 +9,7 @@
|
|
|
80384c |
# Save the initial number of concurrent sessions
|
|
|
80384c |
--source include/count_sessions.inc
|
|
|
80384c |
|
|
|
80384c |
-connect (ssl_compress_con,localhost,root,,,,,SSL COMPRESS);
|
|
|
80384c |
+connect (ssl_compress_con,localhost,root,,,,,SSL COMPRESS CIPHER:DHE-RSA-AES256-SHA);
|
|
|
80384c |
|
|
|
80384c |
# Check ssl turned on
|
|
|
80384c |
SHOW STATUS LIKE 'Ssl_cipher';
|
|
|
743cec |
--- mysql-5.6.33/mysql-test/t/ssl_ca.test~ 2016-08-26 13:22:35.000000000 +0200
|
|
|
743cec |
+++ mysql-5.6.33/mysql-test/t/ssl_ca.test 2016-09-19 11:57:00.921940616 +0200
|
|
|
743cec |
@@ -7,10 +7,10 @@
|
|
|
743cec |
|
|
|
743cec |
--echo # try to connect with wrong '--ssl-ca' path : should fail
|
|
|
743cec |
--error 1
|
|
|
743cec |
---exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/wrong-crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" 2>&1
|
|
|
743cec |
+--exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/wrong-crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem --ssl-cipher=DHE-RSA-AES256-SHA test -e "SHOW STATUS LIKE 'Ssl_cipher'" 2>&1
|
|
|
743cec |
|
|
|
743cec |
--echo # try to connect with correct '--ssl-ca' path : should connect
|
|
|
743cec |
---exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'"
|
|
|
743cec |
+--exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem --ssl-cipher=DHE-RSA-AES256-SHA test -e "SHOW STATUS LIKE 'Ssl_cipher'"
|
|
|
743cec |
|
|
|
743cec |
--echo #
|
|
|
743cec |
--echo # Bug#21920678: SSL-CA DOES NOT ACCEPT ~USER TILDE HOME DIRECTORY
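Review bot: Adding `--ssl-cipher=DHE-RSA-AES256-SHA` to the "wrong '--ssl-ca' path : should fail" command gives that negative test a second way to fail. `--error 1` checks only the exit status, so on a build that does not offer this cipher the command would still exit non-zero and the case could pass without the CA check being the cause; the captured `2>&1` output may catch this if the result file records the message, which is not visible here. That command is expected to fail before `SHOW STATUS` runs, so the pin adds nothing there. Consider leaving that one line unpinned.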
|
|
|
743cec |
@@ -21,12 +21,12 @@
|
|
|
743cec |
|
|
|
743cec |
--echo # try to connect with '--ssl-ca' option using tilde home directoy
|
|
|
743cec |
--echo # path substitution : should connect
|
|
|
743cec |
---exec $MYSQL --ssl-ca=$mysql_test_dir_path/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'"
|
|
|
743cec |
+--exec $MYSQL --ssl-ca=$mysql_test_dir_path/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem --ssl-cipher=DHE-RSA-AES256-SHA test -e "SHOW STATUS LIKE 'Ssl_cipher'"
|
|
|
743cec |
|
|
|
743cec |
--echo # try to connect with '--ssl-key' option using tilde home directoy
|
|
|
743cec |
--echo # path substitution : should connect
|
|
|
743cec |
---exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$mysql_test_dir_path/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'"
|
|
|
743cec |
+--exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$mysql_test_dir_path/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem --ssl-cipher=DHE-RSA-AES256-SHA test -e "SHOW STATUS LIKE 'Ssl_cipher'"
|
|
|
743cec |
|
|
|
743cec |
--echo # try to connect with '--ssl-cert' option using tilde home directoy
|
|
|
743cec |
--echo # path substitution : should connect
|
|
|
743cec |
---exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$mysql_test_dir_path/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'"
|
|
|
743cec |
+--exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$mysql_test_dir_path/std_data/crl-client-cert.pem --ssl-cipher=DHE-RSA-AES256-SHA test -e "SHOW STATUS LIKE 'Ssl_cipher'"
|
|
|
743cec |
--- mysql-5.6.33/mysql-test/t/ssl_crl.test~ 2016-08-26 13:22:35.000000000 +0200
|
|
|
743cec |
+++ mysql-5.6.33/mysql-test/t/ssl_crl.test 2016-09-19 11:53:23.177566131 +0200
|
|
|
743cec |
@@ -32,9 +32,9 @@
|
|
|
743cec |
--echo # try to connect with '--ssl-crl' option using tilde home directoy
|
|
|
743cec |
--echo # path substitution : should connect
|
|
|
743cec |
--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR
|
|
|
743cec |
---exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test --ssl-crl=$mysql_test_dir_path/std_data/crl-client-revoked.crl -e "SHOW STATUS LIKE 'Ssl_cipher'"
|
|
|
743cec |
+--exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test --ssl-crl=$mysql_test_dir_path/std_data/crl-client-revoked.crl --ssl-cipher=DHE-RSA-AES256-SHA -e "SHOW STATUS LIKE 'Ssl_cipher'"
|
|
|
743cec |
|
|
|
743cec |
--echo # try to connect with '--ssl-crlpath' option using tilde home directoy
|
|
|
743cec |
--echo # path substitution : should connect
|
|
|
743cec |
--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR
|
|
|
743cec |
---exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem --ssl-crlpath=$mysql_test_dir_path/std_data/crldir test -e "SHOW STATUS LIKE 'Ssl_cipher'"
|
|
|
743cec |
+--exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem --ssl-crlpath=$mysql_test_dir_path/std_data/crldir --ssl-cipher=DHE-RSA-AES256-SHA test -e "SHOW STATUS LIKE 'Ssl_cipher'"
|